passwd Command as a FIPS 140 Consumer

The passwd command is a consumer of the userland Cryptographic
Framework. Two configuration files, /etc/security/crypt.conf and
/etc/security/policy.conf, determine which password hash the system
uses.

The passwd command calls the crypt() function by using
the PAM modules pam_authtok_store.so.1 and
pam_unix_auth.so.1. The crypt() function dynamically
loads plugins from the message digest library, libmd, based on entries
in the crypt.conf file. Among the plugins are the
SHA256, SHA512, and MD5 password
hash algorithms. The policy.conf file lists the password hashes from
the crypt.conf file that are in effect on the system. By default, the
policy.conf file does not allow the use of the MD5
password hash.

Note -
The cryptographic password hash policy in the
/etc/security/policy.conf file promotes
interoperability with systems that use Blowfish as a password hash. To promote FIPS 140
security, remove the Blowfish algorithm (2a) from the
CRYPT_ALGORITHMS_ALLOW=2a,5,6 entry in the
policy.conf file.
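
The check that the note above calls for, as an added example that is not part of the original documentation: a shell function that reads a policy.conf-style file and reports every identifier in CRYPT_ALGORITHMS_ALLOW other than the SHA256 and SHA512 ones. It assumes that identifiers 5 and 6 are the SHA256 and SHA512 entries in crypt.conf (the page itself names only 2a as Blowfish); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit CRYPT_ALGORITHMS_ALLOW in a policy.conf-style file.
# Assumption: 5 and 6 are the SHA256 and SHA512 identifiers in crypt.conf;
# 2a (Blowfish) is the identifier named in the note above.
FIPS_OK="5 6"

# Print each identifier found on uncommented CRYPT_ALGORITHMS_ALLOW lines
# that is not in FIPS_OK (space-separated, duplicates dropped).
non_fips_algorithms() {
    bad=""
    for id in $(sed -n 's/^[[:space:]]*CRYPT_ALGORITHMS_ALLOW=\([^#]*\).*/\1/p' "$1" | tr ',' ' '); do
        case " $FIPS_OK $bad " in
            *" $id "*) ;;                    # approved, or already reported
            *) bad="${bad:+$bad }$id" ;;
        esac
    done
    printf '%s\n' "$bad"
}

# Exit status: 0 = only approved identifiers allowed,
#              1 = other identifiers allowed,
#              2 = no uncommented CRYPT_ALGORITHMS_ALLOW entry in the file.
check_policy() {
    if ! grep -q '^[[:space:]]*CRYPT_ALGORITHMS_ALLOW=' "$1"; then
        echo "$1: CRYPT_ALGORITHMS_ALLOW is not set"
        return 2
    fi
    found=$(non_fips_algorithms "$1")
    if [ -n "$found" ]; then
        echo "$1: remove from CRYPT_ALGORITHMS_ALLOW: $found"
        return 1
    fi
    echo "$1: only SHA256/SHA512 identifiers are allowed"
}

# Constructed sample input (not a real system file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed policy.conf excerpt
CRYPT_ALGORITHMS_ALLOW=2a,5,6
EOF
check_policy "$sample" || true
rm -f "$sample"
```

On a live system, pass /etc/security/policy.conf as the argument instead of the sample file.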